Storm Trojan to target Mexican hurricane

Warning over new version of malware

The Storm Trojan horse which sent fake news accounts of a massive series of wind storms that struck Europe earlier this year may soon start touting Hurricane Dean, the Category 5 storm that slammed into Mexico this week, security researchers said.

Storm, also known as Peacomm, started life in January as malware attached to messages claiming to provide news of a massive series of wind storms that struck Europe in January. One of the first Storm-bearing messages dangled the subject head "230 dead as storm batters Europe" to tempt users into launching the file. Recipients who clicked on the attached executable were infected by the Trojan horse, which turned their systems into spam-spewing zombies.

Symantec researchers are betting that the malware's makers will try the same trick with Dean.

"We expect it to again come on the back of big news items," said Alfred Huger, vice president of engineering at Symantec's security response group.

Huger's prediction is based on analysis done by Hon Lau, a senior security response manager at Symantec. Hon's take, spelled out in a posting to Symantec's blog, is that Storm's creators are, if nothing else, very adept at crafting socially engineered messages persuasive enough or tempting enough to get people to launch files or click on links.

"In particular, they have a knack for latching on to the latest newsworthy events and capitalising on the public interest in them," Hon said. "And if no newsworthy events are happening at the time, then they will just make them up."

Although Storm, which Symantec calls Peacomm, is currently being spread by a different campaign inviting users to join various 'clubs', ranging from mobile phone ring-tone and photo groups to wine-tasting and cooking clubs, Hon expects to see Dean-related messaging soon. "As Dean lash[es] the areas around the Gulf of Mexico, don't be surprised to get emails about damage or death caused in its wake," he said.

"[Storm's makers] tend to try to take advantage of the newest news," agreed Huger, who also explained the likely motive. "I expect that they have a better take-up rate when they use news." But other than their social-engineering skills, Storm's creators haven't impressed him much, even though others have fingered the malware as the basis for building large botnets that have unleashed record levels of spam, especially pump-and-dump, stock-scam junk mail. "It's about average," Huger said. "A little more sophisticated maybe, but it doesn't really stand out."

The reason why Storm has attracted as much interest as it has - it's the most written-about piece of malware so far in 2007 - is simple, said Huger. Security researchers sometimes fixate on one worm or Trojan horse or virus, perhaps because it's initially interesting. For whatever reason, some of those researchers "dive right to the very bottom" of the code, Huger added, a chore that's impossible to duplicate for every one of the hundreds of new worms and Trojan horses released each month.

Where one researcher treads, others may soon follow. And when lots of them pile on, said Huger, "all that research leads us to believe that this is unique or different, when in fact it's not".

Symantec yesterday identified the newest variation of the Trojan horse as Peacomm.c and posted its usual malware write-up here.